b'\x0cOffice of the Inspector General\n\nReview of Smithsonian Institution\n Information Security Practices\n\n  OIG Report Number M-05-03\n\n\n\n         February 16, 2006\n\x0cSmithsonian Institution OIG                                                                                                                         FY2005 FISMA Review\n\n\n\n\n                                                                   TABLE OF CONTENTS\nINTRODUCTION ............................................................................................................................................................1\n      PURPOSE............................................................................................................................................................... 1\n      BACKGROUND .................................................................................................................................................... 1\n      OBJECTIVES, SCOPE, AND METHODOLOGY................................................................................................ 2\n\nRESULTS ...........................................................................................................................................................................3\n      SYSTEM INVENTORY DOES NOT IDENTIFY ALL OF THE INSTITUTION\xe2\x80\x99S MISSION-CRITICAL\n      SYSTEM INTERFACES......................................................................................................................................... 4\n      CERTIFICATION AND ACCREDITATION PROCESS NEEDS IMPROVEMENT........................................ 5\n      SPECIALIZED IT SECURITY TRAINING NOT PROVIDED TO ALL EMPLOYEES WITH SIGNIFICANT\n      COMPUTER SECURITY RESPONSIBILITIES................................................................................................... 9\n      IMPROVEMENTS NEEDED TO FACILITATE THE ANNUAL FISMA EVALUATION PROCESS ........... 
10\nMANAGEMENT COMMENTS ........................................................................................................................................ 11\n\nOFFICE OF THE INSPECTOR GENERAL RESPONSE.................................................................................................. 12\n\nAPPENDIX.......................................................................................................................................................................... 14\n\n\n\n\n                                                                                          i\n\x0cSmithsonian Institution OIG                                                            FY2005 FISMA Review\n\n\n\n\nINTRODUCTION\n\nPURPOSE\n\nThe E-Government Act of 2002 (Pub. L. No. 107-347), which includes Title III, the Federal\nInformation Security Management Act of 2002 (FISMA), was enacted to strengthen the security\nof federal government information systems. Although the E-Government Act of 2002 does not\napply to the Smithsonian, the Institution supports the information security practices required by\nthe Act because they are consistent with and advance the Smithsonian\xe2\x80\x99s mission and strategic\ngoals.\n\nFISMA outlines federal information security compliance criteria, including the requirement for\nan annual independent assessment by the Institution\xe2\x80\x99s Inspector General. This report presents\nthe results of the Smithsonian Institution Office of the Inspector General\xe2\x80\x99s (OIG) annual\nevaluation of the information security controls implemented by the Institution.\n\nBACKGROUND\n\nFISMA, Office of Management and Budget (OMB) regulations and National Institute of\nStandards and Technology (NIST) guidance outline minimum security requirements for federal\ninformation security programs. These include:\n\n        \xe2\x80\xa2    Annual System Self-Assessments. 
NIST\xe2\x80\x99s Security Self Assessment Guide for Information\n                                1\n             Technology Systems contains specific control objectives and techniques against which a\n             system can be tested and measured. Performing a self-assessment and mitigating any of\n             the weaknesses found in the assessment is an effective way to determine if the system or\n             the information it contains is adequately secured and protected from loss, misuse,\n             unauthorized access, or modification. OMB guidelines require organizations to use the\n             NIST self-assessment tool annually to evaluate each of their major systems.\n\n        \xe2\x80\xa2    Certification and Accreditation. NIST\xe2\x80\x99s Guide for the Security Certification and\n             Accreditation of Federal Information Systems2 states that systems should be certified and\n             accredited. A certification is \xe2\x80\x9ca comprehensive assessment of management, operational,\n             and technical security controls in an information system, made in support of security\n             accreditation, to determine the extent to which the controls are implemented correctly,\n             and operating as intended.\xe2\x80\x9d NIST guidance also discusses system accreditation, which is\n             \xe2\x80\x9cthe official management decision to authorize operation of an information system and\n             to explicitly accept the risk to operations, assets, or individuals based on the\n             implementation of the agreed-upon set of security controls.\xe2\x80\x9d Organizations should use\n             the results of the certification to reassess their risks and update system security plans to\n             provide the basis for making security accreditation decisions.\n\n\n\n\n1\n    NIST Special Publication 800-26, November 2001.\n2\n    NIST Special Publication 800-37, May 2004.\n\n\n                                      
                1\n\x0cSmithsonian Institution OIG                                                            FY2005 FISMA Review\n\n\n\n\n        \xe2\x80\xa2    System Security Plan. NIST\xe2\x80\x99s Guide for Developing Security Plans for Information\n                                 3\n             Technology Systems requires that all major applications and general support systems be\n             covered by a security plan. The plan provides an overview of the security requirements\n             of a system and describes controls in place or planned for meeting those requirements.\n             Additionally, the plan defines responsibilities and the expected behavior of all individuals\n             accessing the system. The NIST guide also instructs that the security plan should\n             describe the management, operational, and technical controls the organization has\n             implemented to protect the system. Among other things, these controls include user\n             identification and authentication procedures, contingency/disaster recovery planning,\n             application software maintenance, data validation, and security awareness training.\n\nOBJECTIVES, SCOPE, AND METHODOLOGY\n\nRichard S. Carson & Associates, Inc., on behalf of the OIG, performed an independent evaluation\nof the Institution\xe2\x80\x99s information security program.\n\nThe purpose of the independent evaluation was to assist the OIG in meeting its FISMA obligation\nfor an independent assessment of the Institution\xe2\x80\x99s information security program in accordance\nwith OMB Fiscal Year (FY) 2005 reporting guidelines. 
The objectives of the independent\nevaluation were to:\n\n       \xe2\x80\xa2    Determine the effectiveness of Institution information security policies, procedures, and\n            practices.\n       \xe2\x80\xa2    Review the network/system security of a representative subset of the Institution\xe2\x80\x99s major\n            application and general support systems.\n       \xe2\x80\xa2    Assess the Institution\xe2\x80\x99s compliance with FISMA and related OMB and NIST information\n            security policies, procedures, standards, and guidelines.\n       \xe2\x80\xa2    Assess the Institution\xe2\x80\x99s progress in correcting weaknesses identified in the FY 2004 Plan of\n            Action and Milestones (action plan).\n\nIn support of these objectives, the evaluation team conducted a qualitative review of the\nInstitution\xe2\x80\x99s information security program, specifically evaluating the degree of compliance with\napplicable OMB and NIST criteria for a security program and evaluating the effectiveness of\nautomated and manual security controls for the Institution\xe2\x80\x99s general support and mission-\nessential systems. 
The evaluation included a cursory review of all 14 systems and a more\ncomprehensive review of two systems:\n\n       \xe2\x80\xa2    Smithsonian Institution Network Infrastructure, General Support System, and\n       \xe2\x80\xa2    Smithsonian Institution Research Information System (SIRIS), Major Application.\n\nThe team\xe2\x80\x99s evaluation was based on interviews with Office of the Chief Information Officer\n(OCIO) staff, prior OIG reports of Institution systems, and a document review to assess\ncompliance with OMB and NIST guidance.\n\nThe evaluation was conducted at the Smithsonian\xe2\x80\x99s OCIO Security Operations Division between\nAugust 17, 2005 and September 30, 2005, and was supplemented with a review of additional\ndocumentation provided by OCIO through January 2006.\n\n3\n    NIST Special Publication 800-18, December 1998.\n\n\n                                                      2\n\x0cSmithsonian Institution OIG                                                       FY2005 FISMA Review\n\n\n\n\nRESULTS\nOCIO has established a comprehensive framework for ensuring the security of federal\ninformation systems within the Smithsonian Institution. 
In accordance with NIST standards,\nOCIO has developed minimum-security controls for the Institution, which include:\n\n     \xe2\x80\xa2   Maintaining an inventory of federal major information systems and applications and\n         identifying the levels of security appropriate to protect such systems and applications;\n\n     \xe2\x80\xa2   Establishing an Institution-wide information security program prescribing security\n         practices and acceptable system configuration requirements;\n\n     \xe2\x80\xa2   Performing system certifications and accreditations to ensure that security controls are in\n         place and functioning as intended;\n\n     \xe2\x80\xa2   Annually assessing the risk of unauthorized access and disruption of information systems\n         that support the operations of the Institution;\n\n     \xe2\x80\xa2   Documenting an action plan to track remediation of security vulnerabilities identified in\n         annual self-assessments, vulnerability tests, and OIG reports;\n\n     \xe2\x80\xa2   Periodically testing and evaluating the effectiveness of information security policies and\n         practices;\n\n     \xe2\x80\xa2   Reporting and responding to security incidents;\n\n     \xe2\x80\xa2   Providing security awareness training to inform employees and contractors of their\n         responsibilities in complying with Institution security policies; and\n\n     \xe2\x80\xa2   Establishing plans for ensuring continuity of operations for systems that support key\n         operations of the Institution.\n\nWhile the framework established by OCIO addresses all of the critical components needed to\nprotect the Institution\xe2\x80\x99s federal information system assets, our evaluation identified the following\nareas where implementation of the Institution\xe2\x80\x99s security program could be improved:\n\n         \xe2\x80\xa2   Inventory of Major Systems. 
OCIO\xe2\x80\x99s inventory captures major federal information\n             technology (IT) investments that the Institution is required to report to OMB through\n             the Exhibit 300 process. According to the Chief Information Officer (CIO), these\n             systems account for about 94 percent of all federal IT expenditures. While OCIO\xe2\x80\x99s\n             approach generally satisfies FISMA reporting requirements, we noted the inventory\n             does not identify all key interfaces between systems and networks, or links with third\n             parties.\n\n\n\n\n                                                  3\n\x0cSmithsonian Institution OIG                                                                                            FY2005 FISMA Review\n\n\n\n\n             \xe2\x80\xa2    Certification and Accreditation Process. Systems were certified and accredited\n                  without meeting all minimum security controls required by NIST and OMB guidance,\n                  and were not reaccredited when significant changes occurred in the information-\n                  processing environment. Also, none of the security plans for the 14 systems were\n                  updated to reflect the status of compliance with security configuration checklists, and\n                  only 4 of 12 security plans completed prior to FY 2005 were updated to reflect the self-\n                  assessment results or other changes. Of note, the security plan for the general support\n                  system was not updated nor a reaccreditation performed when new controls and\n                  services were implemented. 
Further, the Smithsonian Astrophysical Observatory\n                  (SAO)4 system is hosted on Harvard University\xe2\x80\x99s network without an interconnection\n                  agreement that specifies the roles and responsibilities of the Institution and Harvard\n                  regarding the respective security controls that must be maintained.\n\n             \xe2\x80\xa2    Specialized IT Security Training. According to the CIO, only 49 of the 81 individuals\n                  identified as having significant computer security responsibilities completed\n                  specialized security awareness training in FY 2005. OCIO relied on employee self-\n                  reporting at the end of the fiscal year and could not provide detailed information on\n                  courses taken and dates completed to document compliance with this requirement.\n                  To formally track specialized IT security training in FY 2006 the CIO will rely on the\n                  recently implemented training module in the Human Resources Management System.\n\n       Additionally, the following improvements are needed in OCIO\xe2\x80\x99s reporting practices to better\n       facilitate our annual evaluation of the Institution\xe2\x80\x99s security program:\n\n             \xe2\x80\xa2    Action Plan. OCIO\xe2\x80\x99s practice of removing completed action items in the subsequent\n                  reporting quarter makes it difficult for the OIG and OMB to evaluate the progress\n                  made in addressing system vulnerabilities. Keeping mitigated items on the action\n                  plan for a year would be more in line with reporting instructions issued by OMB.\n\n             \xe2\x80\xa2    Annual System Self-Assessments. 
OCIO\xe2\x80\x99s and system owners\xe2\x80\x99 practice of\n                  completing annual self-assessments at the end of the fiscal year does not allow the\n                  Institution to adequately identify and mitigate security risks during the year through\n                  the action plan process. These assessments also occur too late for OIG consideration\n                  in its independent evaluation of the Institution\xe2\x80\x99s compliance with FISMA.\n\nSYSTEM INVENTORY DOES NOT IDENTIFY ALL OF THE INSTITUTION\xe2\x80\x99S MISSION-CRITICAL\nSYSTEM INTERFACES\n\nFISMA requires organizations to develop and maintain an inventory of major IT systems under\ntheir control or operated by a third party on their behalf, including all interfaces and links with\nother systems.5 According to OMB, major systems include those that are important to the\nmission or function of an entity; are used for financial management and obligate more than\n$500,000 annually; have significant program or policy implications; or have high executive\nvisibility. The Smithsonian\xe2\x80\x99s IT security program is directed at those major systems in its\ninventory.\n\n\n4\n    SAO is a member of the Harvard-Smithsonian Center for Astrophysics and a research facility of the Smithsonian Institution.\n5\n    FISMA Section 305(c)(2)(c)(1) and (2).\n\n\n                                                                         4\n\x0cSmithsonian Institution OIG                                                      FY2005 FISMA Review\n\n\n\n\nIn FY 2005, the CIO identified an inventory of 14 major systems comprising a general support\nsystem and 13 major applications, which he told us comprises about 94 percent of the\nInstitution\xe2\x80\x99s federal IT expenditures. 
The inventory includes two applications added since the\nend of FY 2004\xe2\x80\x94the Development and Membership Information System and the Human\nResources Management System\xe2\x80\x94and reflects only those systems that were reported to OMB on\nan Exhibit 300. According to the CIO, in November 2001, OMB agreed with the Institution\xe2\x80\x99s\napproach for identifying major systems.\n\nWhile the inventory generally complies with FISMA reporting requirements, it does not identify\nall key interfaces between the major systems and links to external parties. For example, the\ninventory does not include Donate Now, an Internet application that sends individuals who\ndonate funds to the Smithsonian to a third-party link for credit card authorization. Although\nthis application does not handle a significant amount of funds, because it transmits sensitive data\n(personal identification and credit card information), it should be included in the Institution\xe2\x80\x99s\ninventory as a critical interface for purposes of security planning. The CIO indicated that\nDonate Now underwent a security review before it was deployed, as required. Nevertheless,\nDonate Now should have been identified as a critical interface in the Institution\xe2\x80\x99s major system\ninventory for FISMA reporting purposes.\n\nRecommendation\n\n1. We recommend the CIO identify and include all system interfaces, including those that\n   transfer sensitive data, in its major system inventory to comply with FISMA reporting\n   requirements.\n\nCERTIFICATION AND ACCREDITATION PROCESS NEEDS IMPROVEMENT\n\nNIST\xe2\x80\x99s Guide for the Security Certification and Accreditation of Federal Information Systems6\noutlines system certification and accreditation requirements. It states that organizations should\nconduct a risk assessment to evaluate the extent to which security controls in the information\nsystem are implemented correctly and operating as intended. 
Based on the results of the risk\nassessment, management should update the system security plans as appropriate. This plan\nprovides the security requirements of information systems and describes the controls in place for\nmeeting those requirements. The organization should also prepare an action plan to correct\nknown vulnerabilities in security controls.\n\nNIST guidance further states that management\xe2\x80\x99s risk assessment, security plan, and action plan\ncomprise the accreditation package. During the accreditation phase, authorization to operate the\nsystem is either granted or denied based on a determination of whether remaining system\nvulnerabilities pose an acceptable level of risk to the organization\xe2\x80\x99s operations. Finally, NIST\nguidance requires continuous monitoring of security controls and reaccreditation of systems\nwhen there is a significant change to the system and/or its operational environment.\n\n\n\n\n6\n    NIST Special Publication 800-37, May 2004.\n\n\n                                                 5\n\x0cSmithsonian Institution OIG                                                           FY2005 FISMA Review\n\n\n\n\nOur evaluation identified the following areas where the Institution needs to strengthen its\ncertification and accreditation process:\n\n        \xe2\x80\xa2    None of the security plans for the 14 major systems were updated to reflect the status of\n             compliance with the Institution\xe2\x80\x99s security configuration standards or major changes to\n             systems and/or their operational environment.\n\n        \xe2\x80\xa2    Six of the 14 major systems reviewed did not have finalized disaster recovery plans and\n             1 system had no disaster recovery plan. The IT Security Specialist confirmed the status of\n             these plans. 
Further, while the CIO conducted a tabletop test of the disaster recovery\n             plan for the general support system, a full cutover and recovery test would provide\n             greater assurance that the plan will work. Since the CIO will have to revise and retest the\n             disaster recovery plan when the general support system is relocated to Herndon, Virginia,\n             he should perform a full cutover test after the move.\n\n        \xe2\x80\xa2    SAO\xe2\x80\x99s system is hosted on the Harvard University network without an interconnection\n             agreement between the Smithsonian and the university.\n\n        \xe2\x80\xa2    The Institution did not reaccredit its general support system when new controls and\n             services were implemented.\n\nSecurity Plans for the 14 Major Systems Were Not Updated\n\nNone of the 14 major systems were updated to reflect the status of compliance with security\nconfiguration checklists. NIST\xe2\x80\x99s Guide for the Security Certification and Accreditation of Federal\nInformation Systems7 requires IT security plans to contain the most up-to-date information about\nthe security of information systems. Although the frequency of system security plan updates is at\nthe discretion of the system owner, major changes to an information system should be reflected\nin the system security plan. The CIO acknowledged that system security plans were not updated\nto reflect the status of configuration compliance. However, he indicated that as the accrediting\nofficial, he is aware of the status of configuration compliance of the major IT systems through\nalternate means. Nevertheless, NIST standards require that security plans be updated to provide\nsystem owners and senior officials assurance that effective security controls are in place. Doing so\nprovides full accountability for any adverse impacts to organizations should a breach of security\noccur. 
The security plans also guide any future security certification and accreditation activities.\n\nIn addition, we noted that the security plan for the Institution\xe2\x80\x99s general support system had not\nbeen updated since September 10, 2003, even though OCIO expanded migration of servers to\nActive Directory, purchased and migrated SIRIS software to new servers, implemented new\nsystem controls and services, and installed firewalls. As a general practice, OCIO should be\nupdating system security plans as necessary based on the results of the annual self-assessments,\nother changes, and include compliance with security configuration standards. As discussed later\nin this report, the Institution conducts self-assessments at the end of the fiscal year\xe2\x80\x94too late in\nthe FISMA reporting cycle to determine whether deficiencies noted should have been addressed\nin security plan updates.\n\n\n\n7\n    NIST Special Publication 800-37, May 2004.\n\n\n                                                     6\n\x0cSmithsonian Institution OIG                                                      FY2005 FISMA Review\n\n\n\n\nIn January 2006, after our review was completed, the CIO provided us three security plan updates\nthat were not made available to us during our evaluation\xe2\x80\x94one for the Institution\xe2\x80\x99s Network\nInfrastructure, another for the Financial Enterprise Resource Planning System, and a third for the\nFacility Management System.\n\nSystems are Operating without Finalized Disaster Recovery Plans\n\nA key element of a system security plan is a disaster recovery or contingency plan that describes\nthe organization\xe2\x80\x99s arrangement for ensuring system continuity in the event of a service\n                                                                                              8\ndisruption. 
Further, NIST\xe2\x80\x99s Contingency Planning Guide for Information Technology Systems\nprovides that contingency plans should be tested to confirm the accuracy of individual recovery\nprocedures and the overall effectiveness of the plan.\n\nWe determined that seven major applications were authorized to operate without completed and\napproved disaster recovery plans. At the time of our review, the plans for the National Museum\nof Natural History collection information system, the National Museum of American Indian\ncollection information system and its registration information tracking system were stamped\ndraft. Plans for the collection information systems of the National Museum of American History,\nNational Air and Space Museum, and the Smithsonian Art Museums (ArtCIS) were undated.\nIn January 2006, the CIO provided us with additional documentation to show that there were\nviable plans for six of the seven major applications and stated that the seventh plan for the\nNational Postal Museum\xe2\x80\x99s collection information system was included in the ArtCIS disaster\nrecovery plan. However, none of these documents demonstrated that the disaster recovery plans\nhad been finalized (i.e. plans were undated, stamped draft, and/or lacked approval signatures).\nIn our view these plans should be presented as final documents and include appropriate\napprovals for accountability purposes.\n\nWe also found that the CIO performed a tabletop test of the general support system\xe2\x80\x99s disaster\nrecovery plan, instead of a full cutover and recovery test. While the tabletop testing method is\ngenerally acceptable, it requires only a walk-through of the procedures without the execution of\nactual recovery operations, and thus does not provide the same level of assurances that a\nfunctional cutover exercise would provide. 
Therefore, the Institution only has limited assurance\nthat the major applications hosted thereon will maintain connectivity should a major disruption\noccur. Because the Institution\xe2\x80\x99s major applications rely on the general support system to operate,\nthe CIO may want to consider performing more substantive functional exercises, such as a system\ncutover as part of the pending relocation of the Institution\xe2\x80\x99s data center and general support\nsystem to Herndon, Virginia.\n\nSAO Operates on a Non-Smithsonian System without an Interconnection Agreement\n\nOCIO accredited the SAO Scientific Computing System to operate on a non-Institution network\nwithout an interconnection agreement with Harvard University specifying the roles and\nresponsibilities of the Smithsonian Institution and Harvard regarding security controls that the\nuniversity must maintain. OMB Circular A-130, Appendix III, requires organizations to obtain\nwritten management authorization before connecting their IT systems to other systems, based on\n\n\n\n\n8\n    NIST Special Publication 800-34, June 2002.\n\n\n                                                  7\n\x0cSmithsonian Institution OIG                                                                                                FY2005 FISMA Review\n\n\n\n\nan acceptable level of risk. The written authorization should define the rules of behavior and\ncontrols that must be maintained for the system interconnection and be included in the\norganization\xe2\x80\x99s system security plan.\n\nIf the university network is compromised, the interconnection could be used as a conduit to\ncompromise the Institution\xe2\x80\x99s data as SAO has access to the general support system and the\nFinancial and Human Resource Management Systems through an interconnection with\nHarvard\xe2\x80\x99s network. 
Without a documented interconnection agreement that details the rules of\nbehavior9 and the security controls that must be maintained by the interconnecting systems, the\nInstitution does not know whether there is an acceptable level of risk. Further, the Institution has\nnot complied with OMB requirements for completing an adequate system security plan.\n\nSignificant System Changes Occurred with No Reaccreditation\n\nWe found that OCIO did not reaccredit the Institution\xe2\x80\x99s general support system after it\nunderwent significant changes. NIST\xe2\x80\x99s Guide for the Security Certification and Accreditation of\nFederal Information Systems10 stipulates that a system should be reaccredited periodically\nwhenever there is a significant change to the system or its operational environment. Examples of\nsignificant changes that could trigger reaccreditation include the installation of a new or\nupgraded operating system, middleware component, or application; modifications to system\nports, protocols, or services; and the installation of a new or upgraded hardware platform or\nfirmware component. Changes in laws, directives, policies, or regulations, while not always\ndirectly related to the information system, can also potentially affect the security of the system\nand trigger a reaccreditation action.\n\nIn response to the OIG\xe2\x80\x99s security audit of the Institution\xe2\x80\x99s general support system,11 OCIO\nimplemented new system controls and services, and installed firewalls. Additionally, OCIO\nexpanded the migration of servers to Active Directory and migrated SIRIS software to new\nservers. While individually these changes may not merit a reaccreditation, in our view, taken\ncollectively a reaccreditation is warranted to determine if the security controls were negatively\naffected by these changes. 
This has far-reaching implications because all applications hosted on the general support system are vulnerable to any security weaknesses that may exist on the general support system as a result of these changes. Because the Institution’s data center and general support system are being relocated to Herndon, Virginia in FY 2006, a reaccreditation of the system should not occur until after the move.

Recommendations

We recommend that the CIO:

2. Require units to update system security plans based on changes to security configuration checklists, major system and operating environment changes, and the results of annual self-assessments.

3. Develop a separate disaster recovery plan for the National Postal Museum’s collection information system and finalize the draft disaster recovery plans for the six major applications discussed in this report.

4. Work with Harvard University and SAO to establish an interconnection agreement between the Smithsonian and Harvard University for the SAO Scientific Computing System as required by NIST’s Security Guide for Interconnecting Information Technology Systems.[12]

5. Ensure that the general support system and affected major applications are reaccredited after the primary data center and general support system are relocated to Herndon, Virginia. Establish a process for ensuring that all major systems are reaccredited when significant changes occur in systems and/or their operating environment, in accordance with NIST guidance.

[9] The rules of behavior should clearly delineate the responsibilities and expected behavior of all individuals with access to the system and state the consequences of noncompliance.
[10] NIST Special Publication 800-37, May 2004.
[11] Report Number A-04-05, Audit of the Smithsonian Institution Network Information System Controls, Office of the Inspector General, January 6, 2005.
[12] NIST Special Publication 800-47, August 2000.

SPECIALIZED IT SECURITY TRAINING NOT PROVIDED TO ALL EMPLOYEES WITH SIGNIFICANT COMPUTER SECURITY RESPONSIBILITIES

NIST guidance[13] requires training for individuals whose roles in the organization indicate a need for special knowledge of IT security threats, vulnerabilities, and safeguards. In FY 2005, the Institution identified 81 individuals who had security-related duties with major information systems. According to the CIO, these individuals were given access to online computer security training and at the end of the fiscal year were required to self-identify training completed during the year. Of the 81 individuals, only 49 reported they had taken advanced security-related training. Tracking reports OCIO provided to us did not capture courses taken, hours of training completed, or course dates—information that would be needed to provide assurances that the training was sufficient to satisfy NIST requirements.

The CIO informed us that a training module was added to the Human Resource Management System in September 2005 to track all training, including computer security training information, for users with significant computer security responsibilities.

Recommendations

We recommend that the CIO:

6. Require that employees who have significant computer responsibilities report their plans for meeting the specialized training requirements at the beginning of the fiscal year, and monitor employee progress during the year to ensure that training is completed.

7. Ensure, either through OCIO’s current tracking process or the Human Resource Management System, that in FY 2006 individuals identify course titles, hours, and completion dates of specialized IT training to provide assurances that NIST training requirements are satisfied.

[13] NIST Special Publication 800-16, Information Technology Security Requirements: A Role-Based Performance Model, April 1998, and NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program, October 2003.

IMPROVEMENTS NEEDED TO FACILITATE THE ANNUAL FISMA EVALUATION PROCESS

Completed Action Plan Items Need to be Retained for a Minimum of One Year

OCIO maintains a consolidated list of system action items for the Institution, which it updates quarterly, as required by OMB. OCIO uses this list to track identified vulnerabilities related to major IT systems. OCIO removes “completed” action items in the reporting quarter subsequent to when the action was taken, and relies on program managers to maintain documentation of completed action plan items. Removing completed items quarterly makes OIG’s and OMB’s assessments of progress more difficult by requiring a comparison of quarterly reports to identify the total number of deficiencies remediated. OMB’s FY 2004 Reporting Instructions for the Federal Information Security Management Act[14] advises that deficiencies that have been completely mitigated for over a year should no longer be reported in the Institution’s action plan.
While the guidance does not expressly require that items remain on the list for a year after deficiencies are corrected, doing so will provide a better audit trail for tracking the progress of the Institution’s remediation activities, expedite the OIG’s annual FISMA evaluation, and facilitate OMB’s oversight of the Institution’s IT security program.

Self-Assessments

FISMA Section 3544(b)(5) requires each organization to assess annually the effectiveness of its information security policies, procedures, and practices. This assessment should include tests of its management, operational, and technical controls.

We found that the Institution performed these assessments as required by NIST. However, because all but one of these assessments were completed at the end of the fiscal year, they were not available for review during OIG’s FISMA evaluation or for inclusion in OCIO’s FISMA report to OMB, which is due by the beginning of October each year. Consequently, deficiencies discovered during the self-assessment process cannot be fully addressed in updates to the system security plans, risk assessments, and action plans until after the FISMA reporting deadlines. The CIO has agreed that the self-assessments need to be completed earlier and indicated that he will encourage system owners to complete self-assessments by July 30 of each year. This change will facilitate the OIG’s annual FISMA evaluation and provide for more timely updates of security plans when significant changes occur.

Recommendations

We recommend that the CIO:

8. Keep completed items in the action plan for one year after they have been fully mitigated.

9. Ensure self-assessments are completed and available no later than July 30 of each year.

[14] OMB Memorandum 04-25, August 23, 2004.

MANAGEMENT COMMENTS

We provided management a draft report on January 20, 2006, and received formal written comments on February 7, 2006. Management’s comments are included in their entirety in the Appendix to this report.

Management generally agreed with the report findings and conclusions related to its major system inventory, tracking of specialized IT security awareness training, and improvements needed in the timing of annual self-assessments. However, management disagreed with the deficiencies we noted in its certification and accreditation process and with the need to retain mitigated IT security weaknesses on its Plan of Action and Milestones Report for 1 year.

Specifically, management does not agree that major IT systems were accredited without disaster recovery plans or that the general support system (IT infrastructure) needed to be re-accredited because new controls and services were added. The CIO believes there were no significant changes to the hardware, software, or firmware during FY 2005 that warranted a recertification of the general support system. Also, while OCIO acknowledges it needs to clean up its paperwork, it contends that disaster recovery plans did exist for all of the seven major systems discussed in the report. Management stated that the OIG’s concern that the plans were not dated or were stamped “draft” is form over substance, and that the Postal Museum collection information system plan was combined with the ArtCIS plan.
Furthermore, in reference to our recommendation on reporting mitigated security weaknesses, management does not agree with the IG’s position that these should be retained for 1 year on the FISMA Plan of Action and Milestones Report.

Despite these disagreements, management concurred with recommendations 1, 2, 3, 4, 6, 7, and 9; partially concurred with recommendation 5; and non-concurred with recommendation 8. In its response, management stated that implementing the report’s recommendations will strengthen the Institution’s security accreditation process for major IT systems. Management’s planned actions are summarized below:

Recommendation 1. The CIO agreed to include IT system interfaces in its major system inventory by February 10, 2006. However, the CIO disagrees that Donate Now is a major IT system for reporting purposes as it is not critical to the Institution’s operations, costs far less than $500,000 to operate annually, and has brought in less than $40,000 in donations since October 2004.

Recommendation 2. OCIO states there is not a requirement to update system security plans unless there is a significant change. However, it will revise the Technical Standard and Guideline IT-930-01, IT Security Planning, by April 30, 2006, to require annual updates to security plans to document compliance with the Institution’s security configuration standards.

Recommendation 3. OCIO stated that it would create a separate disaster recovery plan for the National Postal Museum’s collection information system by February 10, 2006, but did not indicate whether it would finalize disaster recovery plans for the six other major applications.

Recommendation 4. OCIO agreed to work with SAO and Harvard University to establish an interconnection agreement by July 30, 2006. In subsequent discussions, the CIO told us he also plans to establish an interconnection agreement with the National Finance Center for payroll services.

Recommendation 5. OCIO will re-accredit the IT infrastructure and affected major IT systems once the relocation to Herndon, Virginia is complete.

Recommendation 6. OCIO stated it will work with OHR to ensure that Individual Development Plans for employees with specialized IT security training needs include IT security training, and to monitor results.

Recommendation 7. OCIO will work with the Director of OHR to ensure IT security training reports identify course titles, hours, and completion dates.

Recommendation 8. OCIO does not believe there is a reporting requirement to retain completed items on the action plan for a year after they have been fully mitigated, and plans no action in response to the recommendation.

Recommendation 9. OCIO will revise the self-assessment guidance to require completion of the assessments by July 30 of each year.

OFFICE OF THE INSPECTOR GENERAL RESPONSE

In evaluating management comments to this report, we held several discussions with the CIO and the IT Security Director in an effort to clarify the areas of disagreement. We continue to believe that the CIO should have reaccredited the general support system. In addition to installing firewalls and migrating servers to Active Directory, the CIO made several changes to network security and to operating and application configurations in response to our January 2005 audit of the Institution’s network controls,[15] which should have triggered a reaccreditation.
Nevertheless, the OIG and OCIO agree that the move of the data center and general support system to Herndon, Virginia, will require reaccreditations of many of the Institution’s major IT systems.

We are encouraged that management recognizes the need to improve its documentation of system disaster recovery plans. While the CIO downplayed the importance of finalizing these plans, FISMA evaluation guidance requires that we review evidence of completion of these plans. The fact remains that the plans presented to us during our review and again in January 2006 were stamped draft, undated, and/or lacked approval signatures. After issuing our draft report, we learned that OCIO had finalized the remaining six disaster recovery plans. We will revisit this issue in our FY 2006 FISMA evaluation.

Management also did not agree to include Donate Now in its IT inventory for FISMA reporting purposes. We note that FISMA requires the identification of interfaces with each major system in the organization’s inventory, including those not operated by or under the control of the organization. Although Donate Now is not a major system, it is an interface on numerous Institution sites that directs the public to a third party that begins a credit card authorization process. The sensitivity of the data captured combined with the link to a third party elevates the importance of this interface. Our FY 2006 FISMA evaluation will look closely at the Institution’s inventory to ensure that it identifies all interfaces.

Finally, management disagreed that fully mitigated items need to remain on the CIO’s Plan of Action and Milestones Report for 1 year. Because this disagreement centers on an interpretation of OMB guidance, we plan to seek clarification from OMB on its reporting instructions.

Management’s planned actions for recommendations 1 through 7, and 9, are responsive to the intent of our recommendations and we consider them resolved. However, we will continue to hold discussions with OCIO regarding the inclusion of Donate Now in its inventory for FISMA reporting. In addition, until we obtain clarification from OMB on its FISMA reporting instructions, recommendation 8 will remain unresolved.

We appreciate the courtesy and cooperation of Smithsonian representatives during this evaluation. If you have any questions concerning this report, please call me at (202) 275-2154 or Stuart Metzger at (202) 275-2159.

[15] Report Number A-04-05, Audit of the Smithsonian Institution Network Information System Controls, Office of the Inspector General, January 6, 2005.

APPENDIX. MANAGEMENT COMMENTS